
6 Privacy Breach Examples Every Organization Should Know

May 4, 2026 / Published by: Admin

Picture opening your email one morning to find a notification that your full name, national ID number, and home address have been circulating on a dark web forum. You did nothing wrong. The institution that was supposed to protect your data simply failed to do so.

That’s not a hypothetical pulled from a thriller. According to Indonesia’s Ministry of Communication and Information Technology, 124 cases of alleged personal data protection violations were recorded between 2019 and May 2024 alone, with 111 classified as data breaches.

And that’s only what someone detected and reported. To understand the full scale of this threat, this article walks through 6 privacy breach examples drawn from real incidents, along with concrete lessons from each one.

What Is a Privacy Breach?

A privacy breach occurs when someone’s personal data is accessed, shared, or used without the owner’s consent. The culprit might be an unauthorized outsider like a hacker, but it can just as easily be the organization that was supposed to be responsible for protecting that data in the first place.

That distinction matters, and it’s frequently misunderstood. Many assume privacy breaches only happen through sophisticated external attacks, but internal negligence, selling data to third parties without consent, and using data outside its original purpose all fall into the same category.

Under Indonesia’s Personal Data Protection Law (Law No. 27 of 2022, known as UU PDP), a privacy breach covers any unauthorized action involving personal data: collection, processing, storage, or distribution. Anyone managing another person’s data, whether a company, government agency, or individual, has a clear legal obligation to protect it.

The forms a breach can take are wide-ranging. Some are technical, like a system intrusion. Some are social, like doxxing. Others are corporate, like misusing customer data for commercial gain without disclosure.

What makes this issue particularly difficult to recover from is that the damage doesn’t end when the breach is discovered. Once personal information spreads, its owner can face fraud, identity theft, harassment, and financial losses that are hard to fully undo.

6 Privacy Breach Examples

Privacy breaches don’t all look the same. Some come from organized cyberattacks. Others start with internal system failures. Some are carried out deliberately by individuals or corporations. The six examples below show how varied those threats can be.

1. BPJS Kesehatan Data Leak (2021)

In 2021, personal data belonging to approximately 279 million members of BPJS Kesehatan, Indonesia’s national health insurance program, was allegedly leaked and sold on dark web forums by an unknown party. The exposed data included full names, national ID numbers, phone numbers, addresses, and dependent information.

That figure exceeded Indonesia’s entire population at the time, meaning data of deceased individuals was also affected. The case showed that even a national-scale database can be vulnerable without strong encryption and strict access controls at every layer of the system.

2. Bank Syariah Indonesia Ransomware Attack (2023)

In May 2023, Bank Syariah Indonesia (BSI) fell victim to a ransomware attack carried out by the LockBit group, which claimed to have extracted around 1.5 TB of data containing records of 15 million customers, including account details, phone numbers, and internal company documents.

LockBit demanded USD 20 million to prevent the data from being published. The case illustrated that ransomware targeting financial institutions doesn’t just disrupt operations; it simultaneously threatens the confidentiality of millions of customers’ data.

3. Indonesia’s General Elections Commission (KPU) Voter Data Breach (2023)

In November 2023, a hacker using the alias “Jimbo” claimed to have accessed the permanent voter registry (DPT) from the systems of Indonesia’s General Elections Commission (KPU). After removing duplicates, the exposed data amounted to around 204 million entries, nearly matching the total number of registered voters in the 2024 election.

The data was listed for sale on Breach Forums at 2 Bitcoin, equivalent to roughly IDR 1.14 billion at the time. Breaches of this kind are particularly dangerous because they target civic infrastructure, and the potential for misuse runs wide: from identity fraud to public information manipulation.

4. Doxxing: Publishing Personal Data Without Consent

Doxxing is the act of publishing someone’s personal information, such as their home address, phone number, or workplace, without their consent. The goal is usually to humiliate or intimidate. Unlike hacking, it doesn’t require any technical skill to execute.

Attackers can piece together information from social media, public platforms, or data that was already leaked elsewhere. A common scenario: someone voices criticism publicly and later discovers their address and contact details have been shared across social media groups as a way to pressure them into silence.

5. Data Misuse by Third-Party Applications

Not every privacy violation comes from the outside. Apps installed and trusted for daily use sometimes collect far more data than necessary, then share it with third parties without the user’s knowledge.

This pattern became a global scandal in the Cambridge Analytica case (2018), where data from 87 million Facebook users was used for political profiling without clear consent. A similar pattern appears in illegal online lending apps in Indonesia, where accessing a user’s contact list and photo gallery became a tool for debt collection intimidation.

6. Phishing and Digital Identity Theft

Phishing is a form of fraud where attackers impersonate a trusted entity such as a bank, government agency, or e-commerce platform to trick victims into handing over their personal data voluntarily. It usually arrives via SMS, email, or a fake link designed to look exactly like a legitimate website.

Indonesia isn’t just a common target; it’s one of the most exposed countries in the region. A Kaspersky report found that in the first half of 2019, Indonesia ranked second in Southeast Asia with 14.3% of its users targeted by phishing attacks, reflecting roughly a 3.6% increase from the year before.

A typical example: someone receives a message claiming to be from their bank, asking them to “update their account details” through a provided link. Once they fill in the form, the attacker has immediate access to the victim’s account and can use it for transactions the owner never authorized.
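The message described above, one that imitates a bank and links to a page built to look like the real site, can be triaged on the defender’s side with a few simple heuristics before it ever reaches a user. The following Python script is an added example, not code from this article or from Adaptist Consulting; the bank domains, the urgency phrases and the three sample messages are all constructed placeholders. It checks the sender domain against an allowlist, parses every link in the body, flags hosts that embed or closely resemble a trusted domain, flags link text that displays one URL while pointing at another, and counts pressure phrases. It goes a little beyond the single case in the text by also catching typosquatted domains.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed allowlist: the domains this fictional bank really sends mail
# and links from. Placeholder names, not any real institution's domains.
LEGITIMATE_DOMAINS = ("examplebank.co.id", "mail.examplebank.co.id")

# Pressure phrases typical of the "update your account details" lure.
URGENCY_PHRASES = (
    "update your account", "verify your account",
    "within 24 hours", "account will be suspended",
)


class _LinkExtractor(HTMLParser):
    """Collect (href, visible text) for every <a> element in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def edit_distance(a, b):
    """Levenshtein distance; a small value against a trusted domain suggests typosquatting."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_legitimate(host):
    """True when the host is an allowlisted domain or a subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in LEGITIMATE_DOMAINS)


def classify_host(host):
    """None for an allowlisted host, otherwise a short reason it is suspicious."""
    if is_legitimate(host):
        return None
    for d in LEGITIMATE_DOMAINS:
        if d in host:
            return f"trusted name embedded in a foreign domain: {host}"
        if edit_distance(host, d) <= 2:
            return f"lookalike of {d}: {host}"
    return f"link to unlisted domain: {host}"


def phishing_indicators(sender_domain, html_body):
    """Return the list of indicators found; an empty list means nothing was flagged."""
    indicators = []
    if not is_legitimate(sender_domain.lower()):
        indicators.append(f"sender domain not on allowlist: {sender_domain}")
    parser = _LinkExtractor()
    parser.feed(html_body)
    for href, text in parser.links:
        host = (urlparse(href).hostname or "").lower()
        reason = classify_host(host)
        if reason:
            indicators.append(reason)
        # Link text that is itself a URL, but on a different host than the real target.
        if re.match(r"https?://", text):
            shown = (urlparse(text).hostname or "").lower()
            if shown and shown != host:
                indicators.append(f"link text shows {shown} but points to {host}")
    lowered = html_body.lower()
    indicators.extend(f"urgency cue: '{p}'" for p in URGENCY_PHRASES if p in lowered)
    return indicators


# Constructed sample messages: (sender domain, HTML body).
SAMPLES = {
    "genuine": ("mail.examplebank.co.id",
        '<p>Your monthly statement is ready. '
        '<a href="https://mail.examplebank.co.id/statements">View statement</a></p>'),
    "spoofed_brand": ("examplebank-secure.xyz",
        '<p>Please <a href="https://examplebank.co.id.account-verify.xyz/login">'
        'update your account details</a> within 24 hours or your account will be suspended.</p>'),
    "typosquat": ("examp1ebank.co.id",
        '<p>Verify here: <a href="https://examp1ebank.co.id/verify">'
        'https://examplebank.co.id/verify</a></p>'),
}

if __name__ == "__main__":
    for name, (sender, body) in SAMPLES.items():
        found = phishing_indicators(sender, body)
        print(f"{name}: {'clean' if not found else found}")
```

These are triage heuristics for a mail gateway rule or a security-awareness walkthrough, not a classifier: a genuine message produces no indicators, while the two lures each trip several independent checks, which is what makes the score robust against any single trick being missed.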

Is Your Organization Prepared for a Privacy Compliance Audit?

Reading through these six cases, one question tends to surface: how ready is your organization if something similar happens? Data protection regulations, from Indonesia’s UU PDP to the EU’s GDPR, set specific obligations for every data controller, covering incident notification timelines, Data Protection Officer appointments, and more.

To help you get started, we’ve prepared a Personal Data Protection Compliance Checklist for Organizations that you can use directly as an internal audit guide.

The Impact of Privacy Breaches on Individuals and Organizations

A privacy breach doesn’t end when the data stops spreading. The consequences that follow are often heavier than the incident itself, for both the individuals whose data was exposed and the organizations responsible for protecting it.

The impact also looks different depending on who bears it. For individuals, the consequences are personal and immediate. For organizations, they tend to be layered and touch multiple aspects of the business at once.

Impact on individuals:

When personal data is exposed, individuals absorb the consequences with very little ability to contain the damage. These are the most common outcomes.

  • Fraud and identity theft risk: Attackers can use leaked data to open fraudulent credit lines or drain bank accounts in the victim’s name.
  • Harassment and psychological harm: In doxxing cases especially, victims often face direct threats that affect their sense of safety in daily life.
  • Financial losses: Account recovery costs, fraudulent debt, and lengthy legal processes can add up quickly and take years to resolve.

Impact on organizations:

On the organizational side, the damage tends to be more complex because it touches legal, operational, and public trust dimensions at the same time.

  • Reputational damage: Customer trust built over years can collapse within days once an incident becomes public.
  • Legal sanctions and fines: Since Indonesia’s UU PDP took full effect in October 2024, organizations found negligent face administrative sanctions and potential criminal liability for responsible officials. Similar exposure exists under GDPR and other regional frameworks.
  • Operational disruption: Attacks like ransomware can bring systems down for days, causing significant business losses.
  • Recovery costs: Forensic investigation, system repairs, data subject notifications, and potential litigation all carry costs that aren’t small.

Conclusion

The six cases above point to a pattern that keeps repeating: privacy breaches can hit any organization, from any direction. No company is fully immune, and no dataset is too small to be worth targeting.

Understanding these cases isn’t just about knowing what went wrong in the past. It’s about recognizing that data protection requires active, ongoing effort, not a one-time policy document filed away and forgotten.

If your organization wants to make sure its data management practices meet current security standards and regulatory requirements, Adaptist Privee by Adaptist Consulting offers structured personal data protection consulting.

From UU PDP and GDPR compliance audits to privacy policy development and DPO appointment, our team is ready to help your organization build a solid data protection system before an incident forces your hand.

Ready to Manage Privacy Compliance as a Business Risk?

See how GRC helps map personal data risks, monitor compliance with the PDP Law, and prepare companies for audits without complicated manual processes.

FAQ

What’s the difference between a privacy breach and a data breach?

A data breach is one type of privacy breach, typically caused by an external attack or system failure. A privacy breach is broader and includes misuse of data by parties who actually have authorized access to it.

Can a company we trust commit a privacy breach?

Yes. This can happen when a company uses or shares user data beyond what its privacy policy states. Selling data to third parties or using it for purposes users didn’t agree to at sign-up both qualify.

What should I do if my personal data has been leaked?

Change passwords for affected accounts immediately and enable two-factor authentication on all important platforms. The incident can also be reported to the relevant data protection authority or the organization that held your data.

What are an organization’s obligations under data protection law if a breach occurs?

Under Indonesia’s UU PDP, organizations must notify affected data subjects and relevant authorities within 14 days of discovering the breach. Under GDPR, that window is 72 hours. Failing to comply can result in administrative sanctions and significant fines.

What’s the most effective way to prevent privacy breaches in an organization?

The basics include data encryption, role-based access controls, and regular security audits. Appointing a Data Protection Officer (DPO) and running privacy awareness training for all staff both reduce risk in a meaningful, measurable way.
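Two of the basics named above, role-based access control and an auditable trail, are easy to state and often implemented loosely. The following Python module is an added example, not code from this article or from Adaptist Consulting; the roles, the per-role field policy and the sample member record are assumptions constructed for illustration, and encryption at rest is left to the storage layer rather than shown here. It enforces least privilege per role over a personal-data record of the kind exposed in the cases above, masks sensitive identifiers for roles that do not need them in full, fails closed when a request reaches outside the role’s policy, and records every attempt in an audit log a reviewer can query.

```python
from datetime import datetime, timezone

# Constructed sample record. Every value is a placeholder, not a real person.
RECORD = {
    "member_id": "M-0001",
    "full_name": "Example Person",
    "national_id": "3171010000000001",   # 16 digits, shaped like an Indonesian NIK
    "phone": "+628120000000",
    "address": "Jl. Contoh No. 1, Jakarta",
}

# Least-privilege policy (roles assumed for the example). Each role lists the
# fields it may read; "masked" fields are returned with most characters hidden.
ROLE_POLICY = {
    "customer_service":   {"fields": {"member_id", "full_name", "phone"}, "masked": {"phone"}},
    "claims_officer":     {"fields": {"member_id", "full_name", "national_id", "address"},
                           "masked": {"national_id"}},
    "compliance_auditor": {"fields": set(RECORD), "masked": set()},
}

AUDIT_LOG = []   # every access attempt, allowed or denied, is appended here


class AccessDenied(Exception):
    pass


def mask(value, keep=4):
    """Hide all but the last `keep` characters of an identifier."""
    return "*" * (len(value) - keep) + value[-keep:] if len(value) > keep else "*" * len(value)


def _audit(actor, role, fields, outcome):
    AUDIT_LOG.append({
        "time": datetime.now(timezone.utc).isoformat(),
        "actor": actor,
        "role": role,
        "fields": sorted(fields),
        "outcome": outcome,
    })


def read_record(actor, role, record, requested_fields):
    """Return the requested fields as this role is allowed to see them.

    Fails closed: one field outside the role's policy denies the whole request,
    so an over-broad query is logged instead of silently trimmed.
    """
    policy = ROLE_POLICY.get(role)
    requested = set(requested_fields)
    if policy is None:
        _audit(actor, role, requested, "denied:unknown-role")
        raise AccessDenied(f"unknown role {role!r}")
    over_reach = requested - policy["fields"]
    if over_reach:
        _audit(actor, role, requested, "denied:" + ",".join(sorted(over_reach)))
        raise AccessDenied(f"{role} may not read {sorted(over_reach)}")
    _audit(actor, role, requested, "allowed")
    return {f: (mask(record[f]) if f in policy["masked"] else record[f]) for f in requested_fields}


def denied_attempts(log=None):
    """Audit helper: denied reads per actor, the first thing a periodic review looks at."""
    counts = {}
    for entry in (AUDIT_LOG if log is None else log):
        if entry["outcome"].startswith("denied"):
            counts[entry["actor"]] = counts.get(entry["actor"], 0) + 1
    return counts


if __name__ == "__main__":
    print(read_record("agent-17", "claims_officer", RECORD, ["full_name", "national_id"]))
    try:
        read_record("agent-17", "customer_service", RECORD, ["national_id"])
    except AccessDenied as exc:
        print("blocked:", exc)
    print("denied attempts:", denied_attempts())
```

The deny-whole-request choice is deliberate: returning a partial view would let a client probe which fields exist without leaving a denial in the log, whereas a hard failure gives the audit a clean signal of who is asking for more than their role needs.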

Adaptist Consulting Profile

Adaptist Consulting is a technology and compliance firm dedicated to helping organizations build secure, data-driven, and compliant business ecosystems.
